
APT37 Hackers Use Google Find Hub to Wipe Android Data

Summary

– North Korean hackers are using Google’s Find Hub tool to track GPS locations and remotely factory-reset Android devices, primarily targeting South Koreans through KakaoTalk messenger.
– The attacks are linked to the KONNI activity cluster, which overlaps with Kimsuky and APT37 groups and uses spear-phishing messages spoofing South Korean agencies to deliver malware.
– Malware execution involves digitally signed MSI attachments that deploy scripts for persistence, remote access, and credential harvesting from Google and Naver accounts.
– Attackers abuse compromised accounts to remotely wipe Android devices via Find Hub, deleting data and disrupting communications to isolate victims and spread malware to contacts.
– Google states no security flaw was exploited, emphasizing the need for 2-Step Verification and the Advanced Protection Program to defend against credential theft and account abuse.

A sophisticated cyber-espionage campaign is leveraging Google’s Find Hub service to remotely erase Android devices and track user locations, with North Korean hackers specifically targeting South Korean individuals. This malicious operation begins when attackers initiate contact through KakaoTalk, the nation’s dominant messaging platform. Cybersecurity experts at Genians have connected this activity to a KONNI malware cluster, noting its shared infrastructure and targets with known threat groups APT37 (ScarCruft) and Kimsuky (Emerald Sleet). These actors have historically focused on sectors including government, education, and cryptocurrency.

The KONNI campaign deploys remote access trojans on victim computers, allowing the exfiltration of sensitive information. Wiping Android devices serves multiple purposes for the attackers: isolating the victim, erasing digital footprints, delaying system recovery, and suppressing security notifications. By resetting the device, they also disconnect active KakaoTalk sessions on PCs, which they then hijack to distribute malware to the victim’s contacts.

The infection process starts with highly targeted spear-phishing messages that impersonate South Korean authorities such as the National Tax Service or police departments. When the victim opens a digitally signed MSI file, sometimes concealed within a ZIP archive, it triggers an embedded install.bat file along with a decoy error.vbs script that displays a fake “language pack error” message. This batch file executes an AutoIt script named IoKITr.au3, which establishes persistence on the system via a scheduled task. The script then communicates with a command-and-control server to download additional modules, granting the hackers remote access, keylogging functions, and the ability to introduce further malicious payloads.
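The persistence step above (a scheduled task that launches an AutoIt script) is something a defender can hunt for in Task Scheduler XML, such as the task body embedded in Windows Security event 4698. The following checker is an added example written for this article, not code from Genians or from the campaign; the task XML samples are constructed, and the paths in them are illustrative placeholders, with only the file name IoKITr.au3 taken from the article.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Script extensions and interpreters that rarely belong in a user-level scheduled
# task and match the install.bat / error.vbs / IoKITr.au3 chain described above.
SCRIPT_EXTS = (".au3", ".a3x", ".bat", ".cmd", ".vbs", ".js", ".ps1")
INTERPRETERS = {"autoit3", "autoit3_x64", "wscript", "cscript", "cmd", "powershell", "mshta"}

def task_findings(task_xml: str) -> list[str]:
    """Return one finding per suspicious <Exec> action in a Task Scheduler XML body."""
    root = ET.fromstring(task_xml)
    findings = []
    for exec_node in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        # Normalise separators and drop quotes so file names compare cleanly.
        exe = cmd.lower().replace("\\", "/").strip('"').rsplit("/", 1)[-1].removesuffix(".exe")
        tokens = f"{cmd} {args}".lower().replace("\\", "/").replace('"', "").split()
        if exe in INTERPRETERS:
            findings.append(f"interpreter launched by task: {cmd}")
        for tok in tokens:
            if tok.endswith(SCRIPT_EXTS):
                findings.append(f"script file in task action: {tok.rsplit('/', 1)[-1]}")
    return findings

def is_suspicious(task_xml: str) -> bool:
    return bool(task_findings(task_xml))

# Constructed samples (not captured from the campaign); paths are placeholders.
SUSPICIOUS_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>C:\\Users\\Public\\AutoIt3.exe</Command>
    <Arguments>"C:\\Users\\Public\\IoKITr.au3"</Arguments>
  </Exec></Actions>
</Task>"""

BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Actions><Exec>
    <Command>C:\\Program Files\\ExampleVendor\\Updater.exe</Command>
    <Arguments>/check</Arguments>
  </Exec></Actions>
</Task>"""

if __name__ == "__main__":
    for finding in task_findings(SUSPICIOUS_TASK):
        print(finding)
```

A real deployment would feed this the TaskContent field of each 4698 event or the XML files under the Tasks folder and triage the hits alongside the task's creating process.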

According to Genians, these secondary payloads include well-known remote access trojans like RemcosRAT, QuasarRAT, and RftRAT. These tools are used to harvest login credentials for Google and Naver accounts. Once the attackers gain access, they can modify security settings, delete logs that would reveal the breach, and log into the victim’s Gmail or Naver mail.

Using the compromised Google account, the threat actors access Google Find Hub, the default “Find my Device” feature for Android, to locate registered devices via GPS and issue remote reset commands. In one documented case, attackers targeted a counselor providing psychological support to North Korean defector youth. After compromising the counselor’s KakaoTalk account, they sent a malicious file disguised as a “stress relief program” to a student who was a defector. The hackers reportedly used GPS data to time the device wipe for when the target was away from home and less able to respond immediately.

During these attacks, the threat actors executed remote reset commands on all registered Android devices, leading to permanent data loss. In several instances, they ran the wipe command three times, making device recovery practically impossible. With the mobile device neutralized, the attackers used the victim’s still-active KakaoTalk session on the infected computer to send malicious files to their contact list. Genians observed a repeat of this attack pattern on September 15 against another victim.

To defend against such threats, users should enable multi-factor authentication on their Google accounts and ensure they have access to a recovery email or phone number. When receiving files through messaging apps, always verify the sender’s identity through a direct phone call before opening any attachments. Google has clarified that this attack did not exploit any vulnerability in Android or Find Hub, emphasizing that the compromise resulted from stolen credentials. The company strongly recommends enabling two-step verification or passkeys, with high-risk users encouraged to enroll in Google’s Advanced Protection Program for maximum security. Genians has published a detailed technical analysis of the malware along with indicators of compromise to assist in detection and mitigation.

(Source: Bleeping Computer)
